FUDforum file access and SQL Injection PROGRAM: FUDforum VENDOR: Advanced Internet Designs Inc. HOMEPAGE: http://fud.prohost.org/ VULNERABLE VERSIONS: 2.0.2, possibly others IMMUNE VERSIONS: 2.2.0 and above LOGIN REQUIRED: no (some issues), admin (some issues) SEVERITY: medium DESCRIPTION: "FUDforum is templatable forum with i18n support based on PHP and either MySQL or PostgreSQL. It features a user/group management system, a multi-lingual spell checker, both flat and thread message views, a private messaging system with mult-iuser forwarding capabilities, poll file attachments, and much more. It is an extremely fast and scalable forum that can fulfill the needs of both small and large forum operators." (direct quote from the program's project page at Freshmeat) FUDforum is published under the terms of the GNU General Public License. SUMMARY: FUDforum has got two security holes that allow people to download or manipulate files and directories outside of FUDforum's directories. One of the holes can be exploited by everyone, while the other requires administrator access. The program has also got some SQL Injection problems. TECHNICAL DETAILS: 1) The tmp_view.php script doesn't check the path of the file that will be displayed, which means that it can be used for downloading any file on the system that the httpd daemon's user can read. You exploit it by surfing to tmp_view.php?file=/etc/passwd. The HTTP headers that are sent back to you will say that the file is an image, which prevents downloading of non-image files in a normal web browser. In that case, you use netcat or telnet to connect directly to the web server, which will get you the file's raw data. This issue doesn't require logging in at all. 2) The adm/admbrowse.php script allows downloading and general manipulation (creation, deletion) of files and directories outside of the FUDforum directories. Here's how to use admbrowse to download /etc/passwd: admbrowse.php?down=1&cur=%2Fetc%2F&dest=passwd&rid=1&S=[someid] FUDforum has got some protection against changing the cur variable like this, but it mostly stops attackers from getting file listings for unauthorized directories. There are many other related issues that it doesn't protect against. This issue requires administrator access. 3) There are some SQL Injection issues in the code. They are of the easy type where we don't really have to inject anything, because there are no apostrophes or quotes around the variable data in the SQL statements. These problems can be found in the scripts report.php, selmsg.php and showposts.php. COMMUNICATION WITH VENDOR: The vendor was contacted on the 17th of June, and they replied really quickly. The stable version 2.2.0, which is immune to these holes, was released on the 4th of July. // Ulf Harnhammar ulfh@update.uu.se